HIPAA GUIDANCE: ALTERATION OR WAIVER OF AUTHORIZATION (AWA) Revised: July 9, 2004
|
|
- Cameron Logan
- 5 years ago
- Views:
Transcription
1 HIPAA GUIDANCE: ALTERATION OR WAIVER OF AUTHORIZATION (AWA) Revised: July 9, 2004 This guidance addresses: 1. Criteria a covered function should employ for evaluating an IRB issued AWA to determine its adherence to the HIPAA regulations 2. IRB AWA criteria and a covered function s adherence to the minimum necessary standard for release of PHI identified in a valid AWA 3. Mechanisms available to a covered function for providing PHI identified in an AWA to a researcher 4. Accounting for disclosures when releasing PHI to a researcher outside of the covered function via the AWA mechanism NB: Parts of this guidance are specific to the SUNY-UB HIPAA hybrid entity environment where the SUNY-UB research function, and consequently any SUNY-UB researcher, has been specifically defined as being separate from, and not part of, any HIPAA covered function/entity. It is specifically applicable to all SUNY-UB researchers in any setting dealing with a HIPAA covered function/entity and, separately, all SUNY- UB covered functions.
2 1) Covered function criteria for determining that an alteration or waiver of authorization (AWA) has been appropriately executed by an IRB 45 CFR (i) addresses the documentation that must be provided by an IRB to constitute a valid AWA. Specifically, the required elements are: (1)(i)(A) Issued by an Institutional Review Board (IRB), established in accordance with 7 CFR 1c.107, 10 CFR , 14 CFR , 15 CFR , 16 CFR , 21 CFR , 22 CFR , 24 CFR , 28 CFR , 32 CFR , 34 CFR , 38 CFR , 40 CFR , 45 CFR , 45 CFR , or 49 CFR (2)(i) Identification and date of action. A statement identifying the IRB and the date on which the alteration or waiver of authorization was approved; (2)(ii) Waiver criteria. A statement that the IRB has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria [Note: A covered function is not responsible for separately determining that the criteria identified in (2)(ii) have been met. The covered function is only required to confirm that the alteration or waiver of authorization contains a statement from the IRB comprised of these elements]: (A) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; (1) An adequate plan to protect the identifiers from improper use and disclosure; (2) An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law (3) Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart (B) The research could not practicably be conducted without the waiver or alteration
3 (C) The research could not practicably be conducted without access to and use of the protected health information. (2)(iii) Protected health information needed. A brief description of the protected health information for which use or access has been determined to be necessary by the IRB pursuant to paragraph (i)(2)(ii)(c) of this section (2)(iv) Review and approval procedures. A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures 1 (2)(v) (v) Required signature. The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair, of the IRB If a waiver in whole is not issued, the covered function must adhere to the constraints associated with the waiver in part or alteration in whole or in part as identified in the AWA. Any request for PHI by the researcher that falls outside the parameters identified in a valid AWA will require a separate HIPAA PHI research disclosure mechanism to be in place. In general, an AWA issued by an IRB containing these elements may be used by the covered function to release the PHI listed in section (2)(iii) of the AWA to the requesting researcher. The UB IRB currently issues a 2-part AWA. The AWA itself contains all required elements with the exception of (2)(iii) above. The information required for (2)(iii) is contained in a separate UB document titled The Request for Waiver of Individual Authorization for Use of Individually Identifiable Health Information. This document is completed by the researcher and submitted to the UB IRB for its review in determining that AWA criteria under (2)(ii) can be met. Question #1 of this document contains the information that constitutes the required (2)(iii) element of the AWA. This document can be considered part of the AWA provided it is stamped, dated and signed or initialed by the UB IRB. 1 An IRB must follow the requirements of the Common Rule, including the normal review procedures (7 CFR 1c.108(b), 10 CFR (b), 14 CFR (b), 15 CFR (b), 16 CFR (b), 21 CFR (b), 22 CFR (b), 24 CFR (b), 28 CFR (b), 32 CFR (b), 34 CFR (b), 38 CFR (b), 40 CFR (b), 45 CFR (b), 45 CFR (b), or 49 CFR (b)) or the expedited review procedures (7 CFR 1c.110, 10 CFR , 14 CFR , 15 CFR , 16 CFR , 21 CFR , 22 CFR , 24 CFR , 28 CFR , 32 CFR , 34 CFR , 38 CFR , 40 CFR , 45 CFR , 45 CFR , or 49 CFR )
4 Once the PHI identified in section (2)(iii) of a AWA is released to a researcher who is outside of the covered function (i.e., any SUNY-UB researcher), the covered function has no additional HIPAA obligations with regards to the researcher s subsequent use of the information. In particular, the covered function is not responsible for ensuring that the researcher is in or remains in compliance with the representations they made to the IRB, which may or may not be known by the covered function, in order to obtain the AWA. The UB Request for Waiver of Individual Authorization for Use of Individually Identifiable Health Information form provides additional information that is intended for internal UB IRB use in making its determination on whether or not to issue an AWA to the researcher. The information provided in questions 2-6 and the subsequent researcher attestation is not information that a covered function needs to evaluate in determining whether the AWA is valid. As noted in the preceding criteria section, a covered function is not responsible for separately determining that the criteria in (2)(ii) of a valid AWA have been met. The Office of Civil Rights (OCR), which is responsible for compliance with the HIPAA Privacy Regulations, has addressed the broad discretion it permits IRBs in determining that these criteria have been met 2 : Question Are some of the criteria so subjective that inconsistent determinations may be made by Institutional Review Boards (IRB) and Privacy Boards reviewing similar or identical research projects? Answer Under the HIPAA Privacy Rule, IRBs and Privacy Boards need to use their judgment as to whether the waiver criteria have been satisfied. Several of the waiver criteria are closely modeled on the Common Rule s criteria for the waiver of informed consent and for the approval of a research study. Thus, it is anticipated that IRBs already have experience in making the necessarily subjective assessments of risks. While IRBs or Privacy Boards may reach different determinations, the assessment of the waiver criteria through this deliberative process is a crucial element in the current system of safeguarding research participants privacy. The entire system of local IRBs is, in fact, predicated on a deliberative process that permits local IRB autonomy. The Privacy Rule builds upon this principle; it does not change it. Nonetheless, the Department will consider issuing guidance as necessary and appropriate to address concerns that may arise during implementation of these provisions. See the fact sheet and frequently asked questions about the research provisions on this web site for more information about the Common Rule and Institutional Review and Privacy Boards. 2 OCR HIPAA Privacy guidance on Research; December 3, 2002; also available on HHS WEB FAQ ( Answer ID=303, dated 03/03/ :30 PM
5 2) Minimum Necessary and PHI access The HIPAA standard of Minimum Necessary, covered in 45 CFR (b), applies to the release of information associated with an AWA. This impacts the IRB, the SUNY- UB researcher, and the covered function in the following areas: a) IRB Determination of the minimum necessary PHI required by the researcher. The AWA criteria in 45 CFR (i)(2)(ii)(C) restrict an IRB to granting an AWA only for PHI that is specifically required for use in the research study. In granting the AWA, it is incumbent upon the IRB to evaluate the PHI being requested by the researcher and to determine that its use is necessary for the conduct of the research. An IRB may not grant an AWA permitting access to PHI that is not required for use in the study. Specifically an IRB cannot grant an AWA for accessing the entire medical record as a mechanism for permitting the researcher to enter the covered function in order to create a subset PHI dataset from the medical record when that subset of PHI is all that is required for use in the research. b) Covered function determination of the minimum necessary PHI required by the researcher. A covered function may rely on the IRB s determination in this regard as to what constitutes the minimum necessary information required to conduct the research per 45 CFR (d)(3)(iii)(D). This means the covered entity may, without further analysis, provide the researcher with the PHI specifically determined as necessary for the conduct of the research in section (2)(iii) of a valid AWA 3 : Question May a covered entity accept documentation of an external Institutional Review Board's (IRB) waiver of authorization for purposes of reasonably relying on the request as the minimum necessary? Answer Yes. The HIPAA Privacy Rule explicitly permits a covered entity to reasonably rely on a researcher s documentation of an Institutional Review Board (IRB) or Privacy Board waiver of authorization pursuant to 45 CFR (i) that the information requested is the minimum necessary for the research purpose. See 45 CFR (d)(3)(iii). This is true regardless of whether the documentation is obtained from an external IRB or Privacy Board or from one that is associated with the covered entity. 3 HHS WEB FAQ (see footnote 2) Answer ID=217; Category: Privacy of Health Information/HIPAA, Minimum Necessary, Research Uses and Disclosures, Smaller Providers/Small Businesses; Date updated: 07/18/ :01 AM
6 c) Covered function creation of the data set identified as minimum necessary for disclosure to the external researcher. A covered entity may only permit the researcher access to, and use of, PHI that is specifically required for the conduct of the research as identified in section (2)(iii) of a valid AWA. Often, this data resides co-mingled with other PHI in the covered function s PHI repository, e.g., within the medical or dental record. Creation of a data set for use by an external researcher is an activity of the covered function and is not a research activity that can be conducted by the researcher. Specifically, the AWA is not a mechanism by which the researcher may access PHI other than that identified in section (2)(iii) of the AWA, i.e., the researcher may not be given access to a superset of PHI, such as the medical or dental record, in order to create a data set of the required PHI elements identified in the AWA. 3) Mechanisms available to covered functions for providing PHI to a SUNY-UB researcher The covered function s creation of the PHI data set required by the researcher, as identified in (2)(iii) of the AWA, can be approached in basically one of two ways: a) The data set is generated by the covered function through activities of its workforce. b) The data set is generated by a business associate of the covered function, with an appropriately executed business associate agreement (BAA) in place governing the service of creating this data set. In both cases, creation of the data set is an activity of the covered function that falls within the Operations component of its HIPAA Treatment, Payment and Operations activities. Consequently, all access to and use of PHI for this activity constitutes a use of PHI by the covered entity. In instances where the researcher, in a separate and distinct capacity from their research (non-covered function) duties, is also a member of a covered function s workforce, they may created the required data set via mechanism (i) provided that activity is formally part of their separate and distinct job duties within the covered function. Note that per 45 CFR Definitions: Workforce, volunteers are defined to be members of the covered function s workforce. An external researcher who is also a formal volunteer of the covered function could create the required data set by way of this mechanism provided that the covered function has an formally and appropriately established mechanism for appointing volunteers, that this activity is formally defined by
7 the covered function as part of the volunteer s duties, and that volunteers in the covered function are required to fully comply with all aspects of the covered function s HIPAA implementation pertaining to its workforce. If the researcher is not part of the covered function which possesses the required PHI, and the covered function does not have a mechanism for providing the researcher with only the PHI identified in the waiver, then the researcher may perform the dataset creation only via mechanism 3)(b). 4 Mechanism 3)(b) is not recommend for use by SUNY-UB researchers wishing to access PHI within a SUNY-UB covered function. If a SUNY-UB researcher wishes to enter into a BAA with a non-suny-ub covered entity, an appropriate SUNY-UB signatory agent needs to be identified by the UB Director of HIPAA Compliance and the BAA must be vetted by legal counsel associated with the signatory agent. 4) Accounting for disclosures Pursuant to 45 CFR , the covered function must be able to provide an accounting of PHI disclosures. Such an accounting is required when PHI defined in section (2)(iii) of a valid AWA is released by a covered function to a SUNY-UB researcher. An accounting for disclosures is not required for the covered function s use of PHI in creating the PHI dataset as this activity constitutes a use as part of Treatment/Payment/Operations of the covered function, and not a disclosure by the covered function. 4 HHS WEB FAQ (see footnote 2); Answer ID=249; Category: Privacy of Health Information/HIPAA, Business Associates, Limited Data Set; Date updated: 03/03/ :16 PM; generalized from example where BAA is identified as the proper mechanism to be used by a researcher to create limited data required to conduct their research when the covered entity cannot provide this service.
HIPAA and Research at UB
HIPAA and Research at UB Brian Murphy, MS Director, University at Buffalo HIPAA Compliance Office of the President Director, Health Professions IT Partnership Office of the VP for Health Affairs bwmurphy@buffalo.edu
More informationEVMS Medical Group A. RESEARCH USE AND OR DISCLOSURE WITHOUT AUTHORIZATION:
Page 1 of 8 Definitions: Research Research is defined as systematic investigation, including the research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge
More informationThis form is to be used in conjunction with the Application for IRB Review
This form is to be used in conjunction with the Application for IRB Review Study Title: Sponsor/Funding Agency (if funded): Principal Investigator Name: A. What is the purpose of this form? The HIPAA Privacy
More informationCOLUMBIA UNIVERSITY MEDICAL CENTER INSTITUTIONAL REVIEW BOARD (IRB)
COLUMBIA UNIVERSITY MEDICAL CENTER INSTITUTIONAL REVIEW BOARD (IRB) PROCEDURES TO COMPLY WITH PRIVACY LAWS THAT AFFECT USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR RESEARCH PURPOSES Procedures
More informationHIPAA Insurance Portability Act HIPAA. HIPAA Privacy Rule - Education Module for Institutional Review Boards
HIPAA Insurance Portability Act HIPAA HIPAA Privacy Rule - Education Module for Institutional Review Boards The HIPAA Privacy Rule protects the privacy and security of an individual s health information
More informationStandards for Privacy of Individually Identifiable Health Information
Standards for Privacy of Individually Identifiable Health Information 45 CFR 160 and164 as amended: August 14, 2002 Eddie González-Vázquez, MD Research Privacy Officer Suite 622C Main Building PO Box 365067
More informationUNIVERSITY OF TENNESSEE HEALTH SCIENCE CENTER INSTITUTIONAL REVIEW BOARD USE OF PROTECTED HEALTH INFORMATION WITHOUT SUBJECT AUTHORIZATION
UNIVERSITY OF TENNESSEE HEALTH SCIENCE CENTER INSTITUTIONAL REVIEW BOARD USE OF PROTECTED HEALTH INFORMATION WITHOUT SUBJECT AUTHORIZATION I. PURPOSE To provide guidance to investigators regarding the
More informationHIPPA Research Policy
I. Purpose The purpose of this policy is to clearly define the circumstances under which protected health information (PHI) may and may not be used internally or disclosed externally in connection with
More informationTitle: HP-53 Use and Disclosure of Protected Health Information for Purposes of Research. Department: Research
Title: HP-53 Use and Disclosure of Protected Health Information for Purposes of Research Department: Research I. STATEMENT OF POLICY In order for an investigator to use or disclose protected health information
More informationHHS Proposed Rule Modification for the HIPAA Standards for Privacy of Individually Identifiable Health Information (NPRM)
HHS Proposed Rule Modification for the HIPAA Standards for Privacy of Individually Identifiable Health Information (NPRM) PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS 1. The authority citation for part
More informationUAMS ADMINISTRATIVE GUIDE NUMBER: 2.1
UAMS ADMINISTRATIVE GUIDE NUMBER: 2.1.12 DATE: 04/01/2003 REVISION: 3/1/2004; 12/28/2010; 01/02/2013 PAGE: 1 of 18 SECTION: HIPAA AREA: HIPAA PRIVACY/SECURITY POLICIES SUBJECT: HIPAA RESEARCH POLICY PURPOSE
More informationCOLUMBIA UNIVERSITY INSTITUTIONAL REVIEW BOARD POLICY ON THE PRIVACY RULE AND THE USE OF HEALTH INFORMATION IN RESEARCH
COLUMBIA UNIVERSITY INSTITUTIONAL REVIEW BOARD POLICY ON THE PRIVACY RULE AND THE USE OF HEALTH INFORMATION IN RESEARCH I. Background The Health Insurance Portability and Accountability Act of 1996 (as
More informationChildren s Hospital of Philadelphia SOP 707 Page Effective Date: Title: Requirements for and
Page: 1 of 6 I. PURPOSE II. III. IV. The purpose of this SOP is to describe the general requirements for documentation of HIPAA authorization and to enumerate the situations where an authorization or waiver
More information7 ATLzr UNIVERSITY OF CALIFORNIA. January 30, 2014
UNIVERSITY OF CALIFORNIA BEPKELEY DAVIS IRVINE LOS ANGELES MERCED RIVERSIDE SAN DIEGO SAN FRANCISCO 4 SANTA BAREARA SANTA CRUZ CHANCELLORS MEDICAL CENTER CHIEF EXECUTIVE OFFICERS LAWRENCE BERKELEY NATIONAL
More informationUBMD Policy for HIPAA Compliant Subject Recruitment
UBMD Policy for HIPAA Compliant Subject Recruitment Approved by Executive Committee on December 5, 2016 I. Statement of Purpose This policy is applicable in the situation where the Principle Researcher
More informationRELEASE OF PROTECTED HEALTH INFORMATION ( PHI ) FOR RESEARCH PURPOSES
RELEASE OF PROTECTED HEALTH INFORMATION ( PHI ) FOR RESEARCH PURPOSES PURPOSE The purpose of this policy is to establish guidelines for the release of Protected Health Information ( PHI ) for research
More informationHIPAA Business Associate Agreement
HIPAA Business Associate Agreement ICANotes LLC doing business at 1600 St Margarets Rd, Annapolis MD 21409 and, doing business at are parties to a Business Associate arrangement as defined under the Health
More informationUniversity of Mississippi Medical Center Data Use Agreement Protected Health Information
Data Use Agreement Protected Health Information This Data Use Agreement ( DUA ) is effective on the day of, 20, ( Effective Date ) by and between University of Mississippi Medical Center (UMMC) ( Data
More informationProject Number Application D-2 Page 1 of 8
Page 1 of 8 Privacy Board The Johns Hopkins Medical Institutions Health System/School of Medicine/School of Nursing/Bloomberg School of Public Health 5801 Smith Avenue, Suite 235, Baltimore, MD 21209 410-735-6800,
More informationHIPAA Basics For Clinical Research
HIPAA Basics For Clinical Research Presented by Marilyn Windschiegl d.b.a. PFS Clinical, all rights reserved Caution HIPAA is huge State laws may trump or stand side by side with federal law, so your state
More informationHuman Research Protection Program (HRPP) HIPAA and Research at Brown
Human Research Protection Program (HRPP) and Research at Brown Version Date: 12/03/2018 I. and Research at Brown A. The Health Insurance Portability and Accountability Act of 1996 () and its regulations,
More informationHIPAA: What Researchers Need to Know
HIPAA: What Researchers Need to Know The Health Insurance Portability and Accountability Act (HIPAA) protects individuals medical records from unauthorized use. Medical records, however, are often integral
More informationTEXAS SOUTHERN UNIVERSITY HIPAA BUSINESS ASSOCIATE AGREEMENT
This HIPAA Business Associate Agreement (this BA Agreement ) is made and entered into by ( Provider ), a, located at, and Texas Southern University, an agency and institution of higher education established
More informationUNIVERSITY POLICY. Adopted: 11/1/2016 Reviewed: 11/1/2016. Revised: Contact:
UNIVERSITY POLICY Policy Name: Hybrid Entity Declaration Section #: 100.1.12 Section Title: HIPAA Policies Approval Authority: Responsible Executive: Responsible Office: RBHS Chancellor/Executive Vice
More informationSUBCONTRACTOR BUSINESS ASSOCIATE ADDENDUM
SUBCONTRACTOR BUSINESS ASSOCIATE ADDENDUM This Subcontractor Business Associate Addendum (the Addendum ) is entered into this day of, 20, by and between the University of Maine System, acting through the
More informationLIMITED DATA SET REQUEST AND DATA USE AGREEMENT
LIMITED DATA SET REQUEST AND DATA USE AGREEMENT For Facility Use Only: Date Request Received: / / Instructions: Carefully review and complete this Request for a Limited Data Set of PHI and Data Use Agreement.
More informationHIPAA Privacy Compliance Plan for Research. University of South Alabama IRB Guidance and Procedures
HIPAA Privacy Compliance Plan for Research University of South Alabama IRB Guidance and Procedures Office of Research Compliance and Assurance CSAB 140 460-6625 Adopted: 4/2/2003 2 HIPAA PRIVACY COMPLIANCE
More informationPresented by Marti Arvin Chief Compliance Officer UCLA Health Sciences
Presented by Marti Arvin Chief Compliance Officer UCLA Health Sciences 1 Brief discussion of where we have been and where we are going Discussion of Federal Enforcement Actions Privacy and Security issue
More informationARTICLE 1. Terms { ;1}
The parties agree that the following terms and conditions apply to the performance of their obligations under the Service Contract into which this Exhibit is being incorporated. Contractor is providing
More informationBusiness Associate Agreement Health Insurance Portability and Accountability Act (HIPAA)
Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into by and between Washington Dental Service
More informationExecutive Policy, EP HIPAA. Page 1 of 25
Executive Policy, EP 2.217 HIPAA Page 1 of 25 Executive Policy Chapter 2, Administration Executive Policy EP 2.217, HIPAA Policy Effective Date: June 2017 Prior Dates Amended: None Responsible Office:
More informationE-Protocol Document Checklist and GPS IRB Guide - Students
and GPS IRB Guide - Students Please use this checklist as a guide for the submission of your Exempt, Expedited, or Full Review IRB Applications through the e-protocol system. The following documents are
More informationHARVARD CATALYST DATA USE AGREEMENT FOR LIMITED DATA SETS
HARVARD CATALYST DATA USE AGREEMENT FOR LIMITED DATA SETS This template agreement is available for use by Harvard Catalyst institutions where there is not an Institution specific Data Use Agreement required.
More informationPOLICY FOR THE PROTECTION OF HUMAN SUBJECTS IN RESEARCH
PURPOSE: 1.01 The purpose of this policy is to formalize Oklahoma State University s (hereinafter referred to as OSU or the University) obligation to protect human subjects and confirm the University s
More informationUSE AND DISCLOSURE REQUIRING AUTHORIZATION. Identifies when Facilities may use and disclose PHI of patients pursuant to an Authorization.
PRIVACY 3.0 USE AND DISCLOSURE REQUIRING AUTHORIZATION Scope: Purpose: All workforce members (employees and non-employees), including employed medical staff, management, and others who have direct or indirect
More informationCity and County of San Francisco Department of Public Health DPH Health Information Data Use Agreement
This form,, must be completed by researchers who propose to perform research using datasets generated from DPH sources. This Agreement is entered into by and between the City and County of San Francisco
More informationACGME BUSINESS ASSOCIATE AGREEMENT
ACGME Business Associate Agreement Template Clinical Site 8/1/2014 Institution Number (Insert name of sponsoring institution, co-sponsor, participating institution or clinical site and institution number
More informationIDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Hybrid Entity Policy ISUPP 10010
POLICY INFORMATION Policy Section: Governance/Legal IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Hybrid Entity Policy ISUPP 10010 Policy Title: HIPAA Privacy - Hybrid Entity Policy
More informationSUNY DOWNSTATE MEDICAL CENTER UNIVERSITY HOSPITAL OF BROOKLYN POLICY AND PROCEDURE
SUNY DOWNSTATE MEDICAL CENTER UNIVERSITY HOSPITAL OF BROOKLYN POLICY AND PROCEDURE Subject: USE OF LIMITED DATA SETS Page 1 of 3 No. HIPAA-27 Original Issue Date: 12/2003 Prepared by: Shoshana Milstein
More informationHIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE
HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE Policy Preamble This privacy policy ( Policy ) is designed to
More informationSUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT
SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS
HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS This HIPAA Business Associate Agreement ( BAA ) is entered into on this day of, 20 ( Effective Date ), by and between Allscripts
More informationFACT Business Associate Agreement
Policy Document #: 2.1.003 Revision: 3 Valid Date: 27June2012 Page 1 of 2 Effective Date: 27Jun2012 FACT Business Associate Agreement 1.0 Purpose The purpose of this document is to establish terms for
More informationLast Approval Date: April 2017
Page 1 of 6 I. PURPOSE The purpose of this policy is to explain how workforce members of the Stanford University HIPAA Components (SUHC) must make reasonable efforts to limit their use or disclosure of
More informationEmma Eccles Jones College of Education & Human Services. Title: Business Associate Agreements
POLICY INFORMATION Document # 900 Revision # 1.0 Safeguard: Administrative Title: Business Associate Agreements Prepared by: J. Black Approved by: Dean Beth E. Foley Print Date: 8/29/2016 Date Prepared:
More informationSTANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION [45 CFR Parts 160 and 164]
STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION [45 CFR Parts 160 and 164] OCR HIPAA Privacy Introduction This guidance explains and answers questions about key elements of the requirements
More informationRule. Research Changes to the Privacy Rule and GINA. Heather Pierce, JD, MPH Senior Director and Regulatory Counsel, Scientific Affairs
HIPAA Omnibus Final Rule Research Changes to the Privacy Rule and GINA Heather Pierce, JD, MPH Senior Director and Regulatory Counsel, Scientific Affairs February 20, 2013 Research-Related Topics Research
More informationOCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC
Audit Type Section Key Activity Established Performance Criteria Audit Inquiry 12 Samples Requested Breach 164.414(a) Administrative 164.414(a) 164.414(a) 5 Inquiry of Mgmt Requirements Administrative
More informationPREPARATORY TO RESEARCH & PRESCREENING Appreciating Our Differences
& PRESCREENING Appreciating Our Differences Gretchen McMasters, MBA, CIM, CIP, CHRC Northern Arizona Healthcare IRB Administrator HIPAA Privacy Rule at 45 CFR 164.512 Covered entities may use or disclose
More information1 Security 101 for Covered Entities
HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &
More informationCHAPTER 33 HIPAA PRIVACY REGULATIONS
CHAPTER 33 HIPAA PRIVACY REGULATIONS I. INTRODUCTION The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress and signed into law by President Clinton in 1996. Most people
More informationSUBJECT: Disclosure and accounting of protected health information (PHI).
QUALITY IMPROVEMENT IMPLEMENTATION GUIDE EXERCISE 44, 9/2009 SUBJECT: Disclosure and accounting of protected health information (PHI). REFERENCES: DoD 6025.18-R, DoD Health Information Privacy Regulation
More information* Corporation General Partnership Limited Partnership LLC Sole Proprietorship Non Profit Other Accounts Payable: Name
INVACARE CORPORATION New Customer Change of Ownership Customer Credit Application *Legal Name of Business Trade Name (DBA) *Billing Address: Shipping Address (if different): *Federal Tax ID # * # of Years
More informationAS 3101, The Auditor's Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion
Page A1 1 APPENDIX 1 AS 3101, The Auditor's Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion Introduction.01 The auditor's report contains either an expression
More informationHealth and Welfare Plan Compliance Checklist
Health and Welfare Plan Compliance Checklist ERISA Disclosure Requirements, including Plan document Summary plan description (SPD) Summary of material modifications or reductions (SMM or SMR) Summary of
More informationTexas Tech University Health Sciences Center HIPAA Privacy Policies
Administration Policy 1.1 Glossary of Terms - HIPAA Effective Date: January 15, 2015 Reviewed Date: August 7, 2017 References: http://www.hhs.gov/ocr/hippa HSC HIPAA website http://www.ttuhsc.edu/hipaa/policies_procedures.aspx
More informationHEALTH INFORMATION PRIVACY POLICIES & PROCEDURES
Drs. Hammond and von Roenn HEALTH INFORMATION PRIVACY POLICIES & PROCEDURES These Health Information Privacy Policies & Procedures implement our obligations to protect the privacy of individually identifiable
More informationBusiness Associate Agreement
Business Associate Agreement This Business Associate Agreement (this Agreement ) is entered into on the Effective Date of the Azalea Health Software as a Service Agreement and/or Billing Service Provider
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (this Agreement ) is made effective as of the of, (the Effective Date ), by and between day hereafter referred to as ( Business Associate
More informationPrivacy Regulations HIPAA-Administrative Simplification Internal Assessment
Privacy Regulations HIPAA-Administrative Simplification Internal Regulation/Standard Use and Disclosure 164.502 Uses and disclosures of protected health information: general rules. (a) Standard. A covered
More informationCommon Rule Overview
Effective Dates Common Rule Overview The final rule is effective January 19, 2018 with the exception of cooperative research (mandated single IRB review) for which the compliance date is January 20, 2020.
More informationTHE CITY AND COUNTY OF SAN FRANCISCO SECTION 125 CAFETERIA PLAN HIPAA PRIVACY POLICIES & PROCEDURES
THE CITY AND COUNTY OF SAN FRANCISCO SECTION 125 CAFETERIA PLAN HIPAA PRIVACY POLICIES & PROCEDURES Effective: November 8, 2012 Terms used, but not otherwise defined, in this Policy and Procedure have
More informationTexas Tech University Health Sciences Center El Paso HIPAA Privacy Policies
Administration Policy 1.1 Glossary of Terms - HIPAA Effective Date: January 15, 2015 References: http://www.hhs.gov/ocr/hipaa TTUHSC El Paso HIPAA website: http://elpaso.ttuhsc.edu/hipaa/ Policy Statement
More informationPursuing Research with an External Collaborator. June 6, 2018
Pursuing Research with an External Collaborator June 6, 2018 Course Objectives How to foster/ initiate collaborations with an external partner The necessary contracts to initiate working with an external
More informationDefinitions: Policy: Procedure:
PRIVACY 23.0 ACCOUNTING OF DISCLOSURES Scope: Purpose: All workforce members (employees and non-employees), including employed medical staff, management, and others who have direct or indirect access to
More informationRecord Management & Retention Policy
POLICY TYPE: Corporate Divisional EFFECTIVE DATE: INITIAL APPROVAL DATE: NEXT REVIEW DATE: POLICY NUMBER: May 15, 2010 May - 2010 March 2015 REVISION APPROVAL DATE: 5/10, 3/11, 5/12, 9/13, 4/14, 11/14
More informationOMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT RECITALS
OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT Effective Date: September 23, 2013 RECITALS WHEREAS a relationship exists between the Covered Entity and the Business Associate that performs certain functions
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Agreement dated as of is made by and between, on behalf of its (School/Department/Division) (hereinafter referred to as Covered Entity ) and, (hereinafter Business Associate
More informationBusiness Associate Agreement
This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement
More informationInterpreters Associates Inc. Division of Intérpretes Brasil
Interpreters Associates Inc. Division of Intérpretes Brasil Adherence to HIPAA Agreement Exhibit B INDEPENDENT CONTRACTOR PRIVACY AND SECURITY PROTECTIONS RECITALS The purpose of this Agreement is to enable
More informationARTICLE 1 DEFINITIONS
[GPM Note: This Template Data Use Agreement is to be used when a covered entity seeks to disclose a limited set of PHI to another entity for research, public health, and/or health care operations purposes.
More informationHIPAA ADDENDUM TO SERVICE AGREEMENT
HIPAA ADDENDUM TO SERVICE AGREEMENT Business Associate Trading Partner and Chain of Trust THIS AGREEMENT made this 29th day of May, 2015, between, hereafter referred to as Covered Entity, and Commercial
More informationCentral Florida Regional Transportation Authority Table of Contents A. Introduction...1 B. Plan s General Policies...4
Table of Contents A. Introduction...1 1. Purpose...1 2. No Third Party Rights...1 3. Right to Amend without Notice...1 4. Definitions...1 B. Plan s General Policies...4 1. Plan s General Responsibilities...4
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into this day of, 20, by and between the University of Maine System ( University ), and ( Business Associate ).
More informationAMERICAN BAR ASSOCIATION. Technical Session Between the Department of Health and Human Services and the Joint Committee on Employee Benefits
AMERICAN BAR ASSOCIATION Technical Session Between the Department of Health and Human Services and the Joint Committee on Employee Benefits May 17, 2005 The following notes are based upon the personal
More informationO n Jan. 25, 2013, the U.S. Department of Health
Life Sciences Law & Industry Report Reproduced with permission from Life Sciences Law & Industry Report, 07 LSLR 220, 02/22/2013. Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into this day of, 20, by and between ( Covered Entity ) and the University of Maine System, acting through the
More informationDUA Toolkit. A guide to Data Use Agreements in the HMO Research Network
DUA Toolkit A guide to Data Use Agreements in the HMO Research Network Purpose and Description This guide was created to facilitate the establishment of Data Use Agreements (DUAs) for multi-site studies
More informationTerms used, but not otherwise defined, in this Addendum shall have the same meaning as those terms in 45 CFR and
This Business Associate Addendum, effective April 1, 2003, is entered into by and between Guilford County and/or Guilford County Department of Social Services and/or Guilford County Department of Public
More informationUCLA Health System Data Use Agreement
UCLA Health System Data Use Agreement The federal Health Insurance Portability and Accountability Act and the regulations promulgated thereunder (collectively referred to as the Privacy Rule ) permit the
More informationPIEDMONT ACCESS TO HEALTH SERVICES, INC. Contract Review and Approval
PIEDMONT ACCESS TO HEALTH SERVICES, INC. Policy Number: 01-04-005 SUBJECT: Contract Review and Approval EFFECTIVE DATE: 09/18/2013 REVIEWED/REVISED: 09/02/2014 PURPOSE: This policy defines appropriate
More informationGUIDANCE ON HIPAA & CLOUD COMPUTING
GUIDANCE ON HIPAA & CLOUD COMPUTING http://www.hhs.gov/hipaa/for-professionals/special-topics/cloudcomputing/index.html January 26, 2017 Health Care Cloud Coalition Deven McGraw, Deputy Director, Health
More informationMNsure Certified Application Counselor Services Agreement with Tribal Nation Attachment A State of Minnesota
MNsure Certified Application Counselor Services Agreement with Tribal Nation Attachment A State of Minnesota 1. MNsure Duties A. Application Counselor Duties (a) (b) (c) (d) (e) (f) Develop and administer
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the Agreement ) is entered into this day of, 20, by and between the University of Maine System acting through the University of ( University
More informationEXTERNAL IRB AUTHORIZATION AGREEMENT
North Carolina A&T State University EXTERNAL IRB AUTHORIZATION AGREEMENT This Agreement is entered into by and between the institutions identified below. Name of Institution Providing IRB Review ( Reviewing
More informationRECITALS. In consideration of the mutual promises below and the exchange of information pursuant to this BAA, the Parties agree as follows:
This Business Associate Agreement ( BAA ) is entered into by and between NORCAL Mutual Insurance Company ( NORCAL ) and Insured/Applicant ( Covered Entity ) and is effective as of September 23 rd, 2013
More informationIHDE BUSINESS ASSOCIATE AGREEMENT (BAA)
IHDE BUSINESS ASSOCIATE AGREEMENT (BAA) This Business Associate Agreement (BAA) is entered into by and between the Covered Entity aka. Data Provider/User, (please enter name of organization) and the Business
More informationHIPAA s Medical Privacy Standards:
HIPAA s Medical Privacy Standards: The Long and Really Winding Road Michael D. Bell, Esq. Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. Washington, D.C. (202) 434-7481 mbell@mintz.com The Health
More informationEmma Eccles Jones College of Education & Human Services
POLICY INFORMATION Document # 106 Revision # 1.0 Safeguard: HIPAA Privacy Title: Patient Right to Request an Accounting of s of PHI Prepared by: J. Black Approved by: Dean Beth E. Foley Print Date: 9/20/2016
More informationBUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate)
BUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate) This HIPAA Business Associate Agreement ( Agreement ) is entered into this day of, 20, by and between
More informationFrequently Asked Questions About the HIPAA Privacy Rule
1 October 2, 2002 Frequently Asked Questions About the HIPAA Privacy Rule Look for updates to these FAQs -- as OCR responds to questions & comments received at its website -- and updated guidance on significant
More informationHIPAA Privacy For our Group Customers and Business Partners
HIPAA Privacy For our Group Customers and Business Partners Independent licensee of the Blue Cross and Blue Shield Association HIPAA, The Health Insurance Portability and Accountability Act of 1996, established
More informationWhat do you need? Copy of HIPAA Policy on Accounting for Uses or Disclosures of Protected Health Information Department Disclosure Log(s)
HIPAA Privacy Procedure #3 Effective Date: April 14, 2003 Reviewed Date: February, 2011 Accounting for Uses or Disclosures of Revised Date: February, 2011 Protected Health Information Scope: Radiation
More informationHealth Insurance Portability and Accountability Act (HIPAA) Terms and Conditions For Business Associates
Health Insurance Portability and Accountability Act (HIPAA) Terms and Conditions For Business Associates I. OVERVIEW/DEFINITIONS The Health Insurance Portability and Accountability Act (HIPAA) is a federal
More informationState Data Requests Memo Introduction Defining research
Introduction The (CMS) is committed to better care, better health, and lower costs. As trusted partners in achieving these goals, we believe states should have access to Medicare data for research that
More informationEGYPTIAN ELECTRIC COOPERATIVE ASSOCIATION POLICY BULLETIN NO. 214A
CASH AND BENEFITS PLAN (SECTION 125 PLAN) HIPAA POLICIES AND PROCEDURES EFFECTIVE DATE: APRIL 14, 2004 It is the intent of the Egyptian Electric Cooperative Association (EECA) to comply in all respects
More informationHIPAA Privacy Rule. Positive Changes Affecting Hospitals Implementation of the Rule Melinda Hatton -- Oct. 31, 2002
HIPAA Privacy Rule Positive Changes Affecting Hospitals Implementation of the Rule Melinda Hatton -- Oct. 31, 2002 The Final Rule: Changes The purpose... is to maintain strong protections for the privacy
More informationLimited Data Set Data Use Agreement For Research
Limited Data Set Data Use Agreement For Research This Data Use Agreement is dated,, and is between the ( Recipient ) and University of Miami, ( Covered Entity ). This Data Use Agreement is made in accordance
More informationPRIVACY STANDARDS OVERVIEW
PRIVACY STANDARDS OVERVIEW Basic Requirements What Entities Are Covered Practical Effects BASIC REQUIREMENTS A Covered Entity may not use or disclose an individual s protected health information ( PHI
More informationPLAN SPONSOR CERTIFICATION TO THE GROUP HEALTH PLAN
PLAN SPONSOR CERTIFICATION TO THE GROUP HEALTH PLAN The self-funded group health plan (the Plan ) that you, as an employer, sponsor is a Covered Entity as defined by the Health Insurance Portability and
More information